Seems to me that the sneaky spammers are getting around getting caught in the blacklist cache by rotating their spam amongst all the PCs in their botnet. Since it takes a long time to go through thousands of PCs (and their unique IPs) that some herders have, a lot of attempts expire and the spam keeps pounding away. Gone are the days when a dictionary attack came from a single IP and it was easy to detect and the blacklist cache effectively stopped it.

I know greylisting has been discussed before and rejected with the blacklist cache being the response to the greylisting request. And I even wholeheartedly agreed with the decision.

But with the change in tactics the question of greylisting needs to be brought up again. Anyone feel the same or is it just me beating that same old dead horse?

I myself am already greylisting IPs. Even though it's not the same as doing it thru SF, I use the firewall to accomplish the same thing. If anyone wants to know what the IPs are, feel free to visit my site at www.spacequad.com

Once SpamFilter Enterprise is released officially within the next few days, we'll start working on two new filters which we hope will address the issue of spammers using "zombie" machines. As WebGuyz pointed out, oftentimes the same spam is sent from a multitude of different machines. We're in the initial stages of developing a huge database, similar to the SFDB, that will contain samples of both content and images, that will be used to help in the fight against these new types of attacks.

Is this kind of like the 'DNA fingerprinting' I see other spam filters advertising?

Sounds like it might be really great, but rather complex. In the SmarterMail forums (that's the mail server package I use) they are raving about greylisting really cutting down on spam, but of course, I do all my spam filtering thru SFI and can't really tell how good a job it does.

We're in the initial stages of developing a huge database, similar to the SFDB, that will contain samples of both content and images, that will be used to help in the fight against these new types of attacks.

As I was sitting there writing yet another filter today for some persistent spam I realized that the majority of the spam fighting we do is reactive: we deal with it after it hits the mailbox by writing filters or using SURBL lists, etc. Even the new db system you're talking about has to spend CPU cycles and other resources reading the spam in and then figuring out if it's spam or not.

Greylisting works on the assumption all mail is spam unless the same attempt is made a second or third time, and the belief that most spam is fire and forget, coming from a large population of zombie PCs in a botnet that does not retry a failed message send. It builds a whitelist of good IPs and never again fails messages coming from that combo of IP/sender/recipient.

I feel that this feature would be more desirable in the short term to help fight these spammer turds.
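
The greylisting behaviour described in the post above, as an added example that is not part of the thread and not SpamFilter code: a first-seen IP/sender/recipient triplet gets a temporary 451, and only a retry of the same triplet after a delay is accepted and whitelisted. The class name, the delay and lifetime values, and the sample addresses are assumptions chosen for illustration.

```python
import time

class Greylist:
    """In-memory greylist keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=36 * 86400):
        self.min_delay = min_delay        # seconds a first-seen triplet must wait (assumed)
        self.retry_window = retry_window  # pending entry expires if no retry by then (assumed)
        self.pass_ttl = pass_ttl          # how long a proven triplet stays whitelisted (assumed)
        self.pending = {}                 # triplet -> first-seen timestamp
        self.passed = {}                  # triplet -> last-accepted timestamp

    def check(self, ip, sender, rcpt, now=None):
        """Return (code, text) for RCPT TO: 250 accepts, 451 defers."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), rcpt.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None:
            if now - last_ok <= self.pass_ttl:
                self.passed[key] = now    # refresh the whitelist entry on use
                return 250, "OK"
            del self.passed[key]          # whitelist entry aged out
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # new or expired triplet: start the clock
            return 451, "4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return 451, "4.7.1 Greylisted, try again later"  # retried too soon
        del self.pending[key]
        self.passed[key] = now            # sender retried the way a real MTA does
        return 250, "OK"

def demo():
    """Constructed traffic: one retrying MTA, then a botnet rotating source IPs."""
    g, t = Greylist(), 1_000_000
    results = []
    # Legitimate MTA: same triplet, retried after 15 minutes.
    results.append(g.check("192.0.2.10", "a@example.org", "u@example.com", t)[0])
    results.append(g.check("192.0.2.10", "a@example.org", "u@example.com", t + 900)[0])
    # Fire-and-forget zombies: every attempt is a new IP, so a new triplet.
    for i in range(3):
        results.append(g.check(f"198.51.100.{i}", "x@example.net", "u@example.com", t + i)[0])
    return results
```

Because the key includes the client IP, the rotation across botnet machines described at the top of the thread works against the spammer here: each new IP starts as an unknown triplet and is deferred.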
